SC-200

Study mode — explanations shown

1

Mitigate threats using Microsoft Defender XDR

hard

A security analyst is investigating an advanced persistent threat (APT) campaign that involves lateral movement using RDP. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a device remotely connects to another device via RDP (process: mstsc.exe) and, within 10 minutes, the remote device executes a suspicious script (e.g., PowerShell.exe with encoded command). Which KQL query pattern in advanced hunting should be used to correlate these events across devices?

0 of 120 answered